[libvirt-users] spice session locking

Hi List,

Is it possible to prevent other clients from stealing my libvirtd hosted spice session? This is a problem for me where multiple co-workers access the same guest over a qemu+ssh:// connection. Instead of simply disconnecting clients, I'd like libvirtd to deny the new client.

I've been looking at polkit acl rules and the vnc sharePolicy attribute but so far no luck.

On 13.02.2015 16:19, Jon Doe wrote:
> Hi List,
> Is it possible to prevent other clients from stealing my libvirtd hosted spice session? This is a problem for me where multiple co-workers access the same guest over a qemu+ssh:// connection. Instead of simply disconnecting clients, I'd like libvirtd to deny the new client.
> I've been looking at polkit acl rules and the vnc sharePolicy attribute but so far no luck.

I think the only possible way is to set a password to protect the SPICE session. You know, libvirt doesn't interfere in the SPICE connection process. And the sharePolicy attribute exists only for VNC. SPICE doesn't seem to support that.

Michal

Any idea how to do this with virsh or hooks? Qemu seems to have a spice.set_ticket command, but calling this from virsh's 'qemu-monitor-command guest --hmp --cmd spice.set_ticket password' doesn't work. The password would somehow have to be reset once the client logs out.

On Mon, Feb 16, 2015 at 11:50 AM, Michal Privoznik <mprivozn@redhat.com> wrote:
> On 13.02.2015 16:19, Jon Doe wrote:
> > Hi List,
> > Is it possible to prevent other clients from stealing my libvirtd hosted spice session? This is a problem for me where multiple co-workers access the same guest over a qemu+ssh:// connection. Instead of simply disconnecting clients, I'd like libvirtd to deny the new client.
> > I've been looking at polkit acl rules and the vnc sharePolicy attribute but so far no luck.
>
> I think the only possible way is to set a password to protect the SPICE session. You know, libvirt doesn't interfere in the SPICE connection process. And the sharePolicy attribute exists only for VNC. SPICE doesn't seem to support that.
>
> Michal

On 16.02.2015 14:09, Jon Doe wrote:
> Any idea how to do this with virsh or hooks? Qemu seems to have a spice.set_ticket command, but calling this from virsh's 'qemu-monitor-command guest --hmp --cmd spice.set_ticket password' doesn't work.

No, that won't work, because apparently, Qemu/SPICE folks have thought that if SPICE was started without a password, it's meant to be open and therefore a password cannot be set afterward. Or vice versa - if SPICE was started with a password, it can't be removed. But yes, it can be changed. Moreover, you certainly don't want to bypass libvirt on this. We have an attribute for that: //graphics/@passwd.

> The password would somehow have to be reset once the client logs out.

Yep, that's how RHEV does it. You can set the password in domain XML, and set it to time out shortly (//graphics/@passwdValidTo).

Michal
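
An added example, not part of the original thread or of libvirt's own code: one way to build the short-lived ticket described in the last reply, by setting `passwd` and `passwdValidTo` on the domain's SPICE `<graphics>` element. It assumes the guest was already started with a SPICE password (per the thread, a password can be changed but not added later); the sample XML, the 60-second lifetime, the `make_ticket` helper and the file name `ticket.xml` are constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample: the relevant part of `virsh dumpxml guest` output
# (port and listen values are illustrative, not from the thread).
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>guest</name>
  <devices>
    <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1'/>
  </devices>
</domain>
"""

def make_ticket(domain_xml, ttl_seconds=60, now=None):
    """Return (password, graphics_xml) carrying a fresh short-lived ticket."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(domain_xml)
    gfx = root.find("./devices/graphics[@type='spice']")
    if gfx is None:
        raise ValueError("domain has no SPICE graphics device")
    # Random per-session password, handed only to the intended client.
    password = secrets.token_urlsafe(12)
    gfx.set("passwd", password)
    # libvirt reads passwdValidTo as YYYY-MM-DDTHH:MM:SS, interpreted as UTC.
    expiry = now.astimezone(timezone.utc) + timedelta(seconds=ttl_seconds)
    gfx.set("passwdValidTo", expiry.strftime("%Y-%m-%dT%H:%M:%S"))
    # Do not drop an already-connected client when the password changes.
    gfx.set("connected", "keep")
    return password, ET.tostring(gfx, encoding="unicode").strip()

if __name__ == "__main__":
    pw, graphics_xml = make_ticket(SAMPLE_DOMAIN_XML)
    # Save graphics_xml as ticket.xml, then apply it through libvirt:
    #   virsh update-device guest ticket.xml --live
    print(graphics_xml)
    print("one-time password:", pw)
```

Once `passwdValidTo` has passed, new connection attempts are refused until a new ticket is issued, so a co-worker without the current ticket cannot take over the display.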

Participants (2): Jon Doe, Michal Privoznik